As more and more computers and other computing devices are interconnected through various networks, such as the Internet, computer security has become increasingly important, particularly against intrusions or attacks delivered over a network or over an information stream. As those skilled in the art and others will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, and even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will recognize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs that spread on computer networks, such as the Internet, will be generally referred to hereinafter as computer malware or, more simply, malware.
When a computer system is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computer systems that are communicatively connected by a network connection.
A traditional defense against computer malware and, particularly, against computer viruses and worms, is antivirus software that is available from several software vendors. Most antivirus software identifies malware by matching patterns within data against what is referred to as a “signature” of the malware. Typically, antivirus software scans for malware signatures when certain events are scheduled to occur, such as when data is about to be written to or read from an input/output (“I/O”) device. As known to those skilled in the art and others, computer users have ongoing needs to read and write data to I/O devices, such as hard drives, floppy disks, compact disks (“CDs”), etc. For example, a common operation provided by some software applications is to open a file stored on an I/O device and display the contents of the file on a computer display. However, since opening a file may cause malware associated with the file to be executed, antivirus software typically performs a scan or other analysis of the file before the open operation is allowed to complete. If malware is detected, the antivirus software that performed the scan may prevent the malware from being executed, for example, by causing the open operation to fail.
Typically, when new malware is identified, software vendors provide a software update to antivirus software that contains a signature of the new malware. When the update is installed, the antivirus software is able to identify the new malware. However, existing systems are unable to easily determine which files on the computing device are capable of being infected with the new malware. Instead, every file on a computing device will typically be scanned when a previously unknown malware signature becomes available. Those skilled in the art and others will recognize that scanning a file for malware is a resource intensive process. As a result, the performance of the computing device may suffer each time new malware is released on a communication network and a corresponding signature update is installed.
One proposed technique for preventing duplicative scans for malware is to categorize files on a computing device as originating from either trusted or untrusted sources. In this example, files from an untrusted source will be scanned every time a software update that contains a new malware signature is provided. However, files from trusted sources may not need to be scanned for malware if the integrity of the files can be verified. For example, a trusted source may provide a representation of a file that was processed with a function such as a hashing algorithm. Antivirus software may use the processed representation of the file to determine whether the file was modified after the file was received from the trusted source. In instances when a file was not modified, a scan of the file is not performed. However, the method currently used to determine whether the file was modified after being received from the trusted source includes comparing the processed representation of the file received from the trusted source to a newly computed representation of the file. In instances when the two processed representations of the file match, the file was not modified after being received from the trusted source. Thus, for example, each time a new signature is received, the antivirus software would be required to process the file on the computing device with the same function used by the trusted source and then compare the two processed representations of the file. Because both the hashing function and a signature scan must read the entire contents of the file, the computational resources required to determine whether the file is still trusted before scanning it are roughly equivalent to the resources required to simply perform an antivirus detection scan on the file. Therefore, the performance of the computing device is not significantly improved if the technique described above is implemented.
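The following is an added example, not code from the patent or from any antivirus product, that models both mechanisms described above in one place: the scan-on-open hook that fails an open operation when a file matches a signature, and the trusted-source integrity check that skips the scan for unmodified trusted files. The signature names, byte patterns, file paths and contents are all constructed for illustration, and SHA-256 is assumed as the trusted source's hashing function. Two counters record how many bytes each path (hashing versus scanning) has to read on a signature update, which makes the text's cost argument concrete.

```python
"""Added example, not part of the patent text: a toy on-open signature scanner
with a trusted-source integrity check, instrumented to show that re-hashing every
trusted file on each signature update reads as many bytes as scanning it would."""
import hashlib
import hmac

# Constructed signature database: byte patterns standing in for malware
# signatures. The family names and patterns are illustrative, not real ones.
SIGNATURES_V1 = {"Example.Worm.A": b"\x90\x90\xeb\xfe"}

# Constructed in-memory "disk": path -> file contents (all names are assumptions).
FILES = {
    "/bin/editor": b"ELF\x7f" + b"A" * 4000,                          # trusted vendor
    "/home/user/invoice.doc": b"D0CF" + b"B" * 3000,                  # untrusted, clean
    "/home/user/tool.exe": b"MZ" + b"C" * 2000 + b"\x90\x90\xeb\xfe",  # untrusted, infected
}


def sha256_digest(data):
    """The 'processed representation' a trusted source ships with a file (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


class Scanner:
    def __init__(self, signatures):
        self.signatures = dict(signatures)
        self.db_version = 0
        self.trusted = {}        # path -> [vendor digest, db_version at last verification]
        self.bytes_scanned = 0   # cost counter: bytes fed to pattern matching
        self.bytes_hashed = 0    # cost counter: bytes fed to the hash function

    def register_trusted(self, path, vendor_digest):
        """Record the digest the trusted source supplied for this file."""
        self.trusted[path] = [vendor_digest, -1]

    def scan(self, data):
        """Signature scan: return the first matching signature name, or None."""
        self.bytes_scanned += len(data)
        for name, pattern in self.signatures.items():
            if pattern in data:
                return name
        return None

    def integrity_ok(self, path, data):
        """Re-hash the file and compare with the trusted source's digest."""
        self.bytes_hashed += len(data)
        return hmac.compare_digest(sha256_digest(data), self.trusted[path][0])

    def check_file(self, path, data):
        """Return a signature name if the file must be refused, else None.
        Unmodified trusted files skip the scan, but proving they are unmodified
        means hashing the whole file once per signature-database version."""
        entry = self.trusted.get(path)
        if entry is not None:
            if entry[1] == self.db_version:
                return None               # already verified against this database
            if self.integrity_ok(path, data):
                entry[1] = self.db_version
                return None
            del self.trusted[path]        # modified since delivery: trust is revoked
        return self.scan(data)

    def open_file(self, files, path):
        """Scan-on-open hook: the open fails if the file matches a signature."""
        data = files[path]
        hit = self.check_file(path, data)
        if hit is not None:
            raise PermissionError(f"open of {path} refused: matches {hit}")
        return data

    def signature_update(self, files, new_signatures):
        """A new signature arrives: every file is re-examined, as the text describes."""
        self.signatures.update(new_signatures)
        self.db_version += 1
        return {path: self.check_file(path, data) for path, data in files.items()}


def demo():
    """Run one signature update over the sample disk and report the cost."""
    scanner = Scanner(SIGNATURES_V1)
    scanner.register_trusted("/bin/editor", sha256_digest(FILES["/bin/editor"]))
    verdicts = scanner.signature_update(FILES, {"Example.Trojan.B": b"EVIL"})
    total = sum(len(data) for data in FILES.values())
    # Every byte on the disk was read: the trusted file by the hash, the rest by the scan.
    return scanner, verdicts, scanner.bytes_hashed + scanner.bytes_scanned == total


if __name__ == "__main__":
    scanner, verdicts, all_bytes_read = demo()
    print(verdicts, scanner.bytes_hashed, scanner.bytes_scanned, all_bytes_read)
```

Running `demo()` shows the trusted file being hashed (4004 bytes) while the two untrusted files are scanned (5010 bytes), so the update touches every byte on the sample disk exactly once either way; a second open of the trusted file before the next update costs nothing further. A trusted file whose contents change after delivery fails the digest comparison, loses its trusted status and falls through to the scan, which is the behaviour a practitioner would expect of the integrity check.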